Google Maps for iOS may violate European data protection law

German watchdog says the issue is turning location data sharing on by default.

Not everyone was euphoric when Google Maps for iOS showed up earlier this week. Take the Independent Centre for Privacy Protection in Schleswig-Holstein, Germany for instance. Computerworld spoke to the organization's deputy privacy and information commissioner, Marit Hansen, who expressed concerns about the app's location data sharing. By having this option switched on by default, Hansen says, it violates European data protection law.

When downloading the Google Maps iOS app, users are initially met with location data sharing information. "Anonymous location data will be collected by Google's location service and sent to Google, and may be stored on your device," users are warned. And, as Hansen notes, Google has already made the decision to agree for you. Simply "accept & continue" without another glance, right?

Hansen's main gripe is that Google's use of "anonymous" is misleading. "All available information points to having linkable identifiers per user," she told Computerworld. Hansen added this would allow Google to track several location entries, thus leading to her assumption that Google's "anonymous location data" would be considered "personal data" under the European law.

If you sign into the application then it can identify and track you, but otherwise it's just a random person and not linked to you specifically. That is anonymous, unless other information can be used to identify you (and Google Maps can't go to other apps for such info). A pattern of movements isn't in itself identifying.

Google should turn off the default setting of 'send data back to Google' but the EU is being a little over-the-top on this. I wonder if they notified Google before responding to the media.

The *whole* point is about the question whether the data can be linked to a specific user or not. If not, Google isn't violating any privacy laws and is off the hook. But if it can, that's where the problem starts.

Someone's going to have to outline how Google can link location data to a specific person, because as far as I can see, it's anonymous until the user specifically does something that removes their anonymity such as signing in.

Google should have turned the data sharing off by default, but I'm not seeing any issues of data privacy here.

It's not anonymous, because they will collect all the data as being from the same person, not just a random data point from possibly anyone.

They could do that, but they don't have to.

Where are these people getting their evidence that Google's actually linking any of the data to a user?

Evidence? You must be new to the Internet.

Google would certainly like you to sign in so they can collect individualized data from you, but it's not required to use the app. They could be a lot less pushy about encouraging you to sign in, though - the prompt seems to pop up every time you want to do something useful in the app.

Most of the time you use the navigation to go from your house to somewhere and then go back. I suppose it's not difficult to see a pattern for Google.

Yes, how horrible of those people to go ahead and... wait, they haven't done anything yet. If they want to follow up this possible violation, they'll have to do the same thing as always: first have an official inquiry/investigation and look at what comes out of that.

Even when you are signed in, the data collection settings screen states that it is "anonymous location data".

I verified this, because I left the checkbox ticked when first using the app, figuring it wouldn't hurt to share anonymous information.

Then, I found that I needed to sign in to store favourites on the map. After signing in, I became a bit concerned that the information would no longer be anonymous, so I found the settings screen to turn it off. It still stated explicitly that the information is anonymous, so I left it on.

If the information isn't anonymous, then there are two issues:

- The settings screen explicitly states that it is anonymous data, even when signed in.

- The initial startup screen asks a question about "anonymous" information. If after sign-in the data is no longer anonymous, then the answer to that question should be annulled and the user prompted again. After all, a user's consent to provide "anonymous" data can't be interpreted as also giving consent to provide data that identifies the user.

I don't think this is controversial. The law in the EU and member states tends to err on the side of opt-ins, rather than out. For example, you aren't allowed to pre-tick the 'share my name, date of birth, and favourite sexual positions with shady telemarketing companies for a few quick spondulicks' box, and it's rather nice from a consumer protection point of view. I accidentally left the box in question ticked, since I was just tapping through first-run screens. I had to delve fairly deep into the settings to disable sending my location data. Really, a company like Google should know better.

Question is what is 'anonymous'. Is an IP address anonymous? I'd think not in case of a phone. The location data itself isn't even anonymous since it will probably have a pattern identifying my house. So now they have linked my phone to my house. Add google maps data on the browser of my laptop to the mix and Google can link my house, my phone and my laptop together.

Pity the poor Europeans. Their governments treat them like they're helpless children, unable to take care of themselves.

At a Seattle sailing club, I talked with a German student who was amazed by the freedom in our country. In Germany, he told me, to sail a boat on a particular lake you had to have government certification for:

1. That particular class of boat

2. Sailing on that particular lake.

I'd like to give my children the freedom to swim in that lake. It helps if the boats on the lake are controlled by people who can. Just like a drivers licence for cars. Weird huh? Freedom is a complex thing.

This does raise an interesting question: can location data BE "anonymous"? I mean, if Google has data that user #1093fa0d3 spends roughly 8 hours a day during the week sitting in a particular spot in an office building, frankly it's pretty trivial to link the data to a particular user. I mean, if you have location data from any particular source, chances are very, very good that they follow the pattern of spending the vast majority of their time in two locations: work (or school) and home. With these two data points, one can make quite a guess of who you are, with a modicum of extra investigative work. Going in the other direction isn't difficult, either (although it may take some time to go through the mountains of data): knowing someone's work and home locations, one could go through "anonymous" location data and drill that down to a handful of "anonymous users".

1) Proclaim you are not evil.

2) Do evil.

3) If not caught, continue doing evil.

4) When caught, proclaim innocence, but pay fine without admitting guilt.

5) Go to step 1.

There was a Gruber-esque theory posited somewhere that the Larry/Sergey engineering groups are mostly non-evil, but that the bean-counters are usually bog standard evil, and there is internal strife about the fate of the Google-soul...

If Google links the data to an end-user in any way, it's not anonymous. If they store IP addresses, account names, or even phone identifiers, it's not anonymous.

Anonymous data collection would consist of individual data packets being sent back to the server and collated to indicate the relative concentration of users in various locations and the speed at which they are moving. That is useful for estimating traffic levels and congestion patterns.

If they can reconstruct long-term movement patterns for individual users from the data on the server, it can't really be considered anonymous.
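Both the home/work re-identification argument made earlier in the thread and the aggregate-only collection this comment describes, as an added example in Python that is not from the article or any commenter; the device pseudonyms, coordinates and weekly schedule are constructed sample data:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): pings are (device_pseudonym, timestamp,
# lat, lon). A linkable per-device pseudonym is exactly what the thread says
# turns "anonymous" location data into personal data.
OFFICE = (47.6097, -122.3331)
HOMES = {"dev-1093fa0d3": (47.6810, -122.3210), "dev-7b2c": (47.5200, -122.3600)}

def make_sample():
    pings = []
    monday = datetime(2012, 12, 17)            # constructed week, Mon-Fri
    for dev, home in HOMES.items():
        for day in range(5):
            for hour in range(24):
                t = monday + timedelta(days=day, hours=hour)
                if 9 <= hour < 17:             # weekday daytime: at the office
                    pings.append((dev, t) + OFFICE)
                elif hour < 7 or hour >= 20:   # night: at home
                    pings.append((dev, t) + home)
                else:                          # commuting somewhere in between
                    pings.append((dev, t, 47.64 + 0.001 * hour, -122.33))
    return pings

def cell(lat, lon):
    """Snap a coordinate to a roughly 1 km grid cell (integer keys)."""
    return (round(lat * 100), round(lon * 100))

def infer_home_work(pings):
    """Pseudonymous traces: per device, the commonest night cell is 'home'
    and the commonest weekday-daytime cell is 'work'."""
    night, work = defaultdict(Counter), defaultdict(Counter)
    for dev, t, lat, lon in pings:
        if t.hour < 7 or t.hour >= 20:
            night[dev][cell(lat, lon)] += 1
        elif t.weekday() < 5 and 9 <= t.hour < 17:
            work[dev][cell(lat, lon)] += 1
    return {dev: (night[dev].most_common(1)[0][0], work[dev].most_common(1)[0][0])
            for dev in night if work[dev]}

def devices_matching(pings, home_cell, work_cell):
    """The reverse direction from the thread: a known home/work pair narrows
    the 'anonymous' pseudonyms down to a handful (here, to one)."""
    return sorted(d for d, hw in infer_home_work(pings).items()
                  if hw == (home_cell, work_cell))

def aggregate_cells(pings):
    """Aggregate-only collection as the comment describes it: counts per cell
    with the device identifier dropped, so no per-user pattern survives."""
    return dict(Counter(cell(lat, lon) for _, _, lat, lon in pings))
```

Run on the sample, `infer_home_work` recovers a distinct home cell for each pseudonym and the shared office cell, while `aggregate_cells` keeps only five cell counts that say nothing about any individual.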

Are you under the mistaken impression that each phone has a dedicated IP?

I've no idea. Never checked. It will have when I'm at home using my wifi. The app can then link that IP to my phone and from there on gather the data. With big data a lot is possible.

Most phones are NATed by the carrier. They don't have an external IP at all.

However, there are other ways to track users, from unique IDs generated by the app, to unique IDs (such as IMEIs) for the phone itself. Apple bans the latter, but can't really do anything about the former.

The semi-official motto was Don't Be Evil (this has long since been dropped). It's easy for Google to get a pass here on semantics alone. Companies cannot be evil. But even if they could, think about the evil that Google does and compare it to other evils. Google's practices hardly fit the definition of evil.

Beyond that Google long ago elaborated on what being evil was, and it was as I recall two or three things related to search ads and money. Don't make paid ads look like search results. Don't take money for preferential search results placement. Google does neither, and is holding up to their definition of not "being evil."

Aside from all that evil stuff, this opt-in vs. opt-out stuff has a very simple solution. Instead of a checkbox and a button you have two buttons. You leave the explanation there as is and each button is something along the lines of "Agree to terms with location tracking enabled and continue" and "Agree to terms with location tracking disabled and continue." It's a mouthful, they'll be big buttons, but unambiguous and you are not making a choice one way or another for the user. They ostensibly explicitly choose which they want.

From Google itself. They say they want the data to measure traffic. They can't measure traffic without at least two data points from the same phone. So they have to keep track of which phone is sending the data. Therefore, they are linking data to a specific user.

They actually DIDN'T "deliberately" capture the data. They realized there was some legacy code from their testing phase, and they brought it to the public's attention. They hired a third-party data destruction consultant to verify that the data was destroyed. If they hadn't come forward, I wonder how the world would have found out about it. We would have eventually, but the fact that they stepped up before a scandal broke out says something.

Obviously, I like Google. I try to keep their business practices in a sense of proportion to the "don't be evil" credo they established in their IPO (which I encourage people to read).

I honestly believe that Larry and Sergey truly believe in their initial goal of "organizing the world's data" and frankly, I think they've done a great job. Google Earth is an amazing tool for understanding geo-centric global data. Not to mention free word processing, spreadsheeting, presentationing, emailing, video sharing; Fusion Tables is pretty handy, and then of course being able to get relevant results in your search queries. Digitising books? Amazing. Street-viewing the inside of businesses? Amazing. Moon mapping? Mars mapping? Amazing. Amazing. Gigapixel images of paintings in a variety of museums? Amazing.

And all they ask is to log my search queries? Fine! I know Google knows about me WAY more than I do. But hey, if it keeps funding these free tools for the world, then fine, I'm all for it.

And so they chose the model of advertising to fund this goal, which I think simply demonstrates the genius of the company: choose a model that will never go away, will most definitely increase every year, and doesn't necessarily rely on the sale of a product.

Dreadful, I thought. It destroys your confidence in yourself and trains you, from a very early age, to obey authorities. The Germans, you may remember, have a bit of a problem in that area. Now, thanks to the EU, it may become a Europe-wide problem. Sad. And socialized medicine is intended to steer us in that same direction, to make us like those passive Europeans.

I guess you've never owned a boat in Florida, then.

1. Mandatory schooling for anyone operating any pleasure craft with an engine or a sail. (Human-powered boats are excluded.)

2. Additional schooling for large craft.

3. After passing school, you must get a state-issued operator's license.

4. Licensing for the craft itself.

5. Insurance on the craft.

6. Coast Guard approved personal safety devices (i.e., life vests).

All of the above are required, before you set any pleasure craft into any body of water.

No, you don't have to be certified to sail on a particular body of water, but it would show a serious lack of foresight to (a) not ask someone where the hazards are, or (b) not consult a map and/or your depth finder.

I suspect Florida is stricter than most states, but I'd reckon the state of Washington doesn't just let you drop a boat in the water and take off, either.

The regulations are not meant to make you a helpless child. They are meant to keep you from being dead, which is statistically more likely, when you can crash and then immediately drown. The Germans also have stricter driving rules. Since you can go 150 mph on the Autobahn, that makes perfect sense to me.

Apple replaced the hardware UDID with three Identifier APIs in iOS 6. These three IDs together could very possibly be used to de-anonymize your data with greater accuracy.

Kinda funny to see all the Google hate, when your mobile operator is capable of tracking your every move, even with the cellphone switched off.

Anyway, when a web service (not just maps, almost anything) states that user data is anonymous, it means how they process it and store it. Of course at the collection step it's not anonymous. But after processing it is.

I have to admit, I totally missed that checkbox when I first opened up the app. Without this article I wouldn't have been aware of it at all. I know, I should read more carefully what I agree to, but you know how it is ... I would have expected better from a company like Google than just pushing you into this.

I don't believe Google will abuse my location data in any way. And I guess I would have agreed anyway, but it's just not a good business practice.

The mobile provider can do that but that is not the motivation for their business existing, unlike Google which is an ad and user data collection company.